Home Uncategorized Analysis Utilities — Pt. 13

Analysis Utilities — Pt. 13

Posted on Posted in Uncategorized No Comments

Yes, The TREE Structure in the TREE UTMPX Entry must start on WORD-aligned boundary (8-byte aligned 32 bits), (16-byte aligned address on 64-bit)

To understand the 32/64 TREE structure in raw form: 

bazz@blade72[pts/3][/tmp] cat malloc.c
#include <stdlib.h>
#include <memory.h>
#include <thread.h>
#include <synch.h>

#define WORDSIZE        (sizeof (WORD))
#ifdef _LP64
#define ALIGN           16
#else
#define ALIGN           8
#endif

/* the proto-word; size must be ALIGN bytes */
typedef union _w_ {
        size_t          w_i;            /* an unsigned int */
        struct _t_      *w_p;           /* a pointer */
        char            w_a[ALIGN];     /* to force size */
} WORD;

main()
{
  printf ("sizeof WORD = 0x%x\n", WORDSIZE);
  printf ("ALIGN is %d\n", ALIGN);

  WORD w;
  w.w_i = 1;
  printf ("w = %d\n", w.w_i);
  unsigned char *c = (char *)&w;
  int i;

  for (i=0; i < WORDSIZE; i++)
  {
    printf ("w[%d] = 0x%1x \n", i, *(c++));
  }
  printf ("\n");

   w.w_i = -1;
  printf ("w = %d\n", w.w_i);
  c = (char *)&w;

  for (i=0; i < WORDSIZE; i++)
  {
    printf ("w[%d] = 0x%1x\n", i, *(c++));
  }
  printf ("\n");
}
bazz@blade72[pts/3][/tmp] gcc malloc.c && ./a.out
sizeof WORD = 0x8
ALIGN is 8
w = 1
w[0] = 0x0
w[1] = 0x0
w[2] = 0x0
w[3] = 0x1
w[4] = 0x0
w[5] = 0x0
w[6] = 0x0
w[7] = 0x0

w = -1
w[0] = 0xff
w[1] = 0xff
w[2] = 0xff
w[3] = 0xff
w[4] = 0x0
w[5] = 0x0
w[6] = 0x0
w[7] = 0x0

bazz@blade72[pts/3][/tmp] gcc -m64 malloc.c && ./a.out
sizeof WORD = 0x10
ALIGN is 16
w = 1
w[0] = 0x0
w[1] = 0x0
w[2] = 0x0
w[3] = 0x0
w[4] = 0x0
w[5] = 0x0
w[6] = 0x0
w[7] = 0x1
w[8] = 0x0
w[9] = 0x0
w[10] = 0x0
w[11] = 0x0
w[12] = 0x0
w[13] = 0x0
w[14] = 0x0
w[15] = 0x0

w = -1
w[0] = 0xff
w[1] = 0xff
w[2] = 0xff
w[3] = 0xff
w[4] = 0xff
w[5] = 0xff
w[6] = 0xff
w[7] = 0xff
w[8] = 0x0
w[9] = 0x0
w[10] = 0x0
w[11] = 0x0
w[12] = 0x0
w[13] = 0x0
w[14] = 0x0
w[15] = 0x0

bazz@blade72[pts/3][/tmp] cat malloc.c
#include <stdlib.h>
#include <memory.h>
#include <thread.h>
#include <synch.h>

#define WORDSIZE        (sizeof (WORD))
#ifdef _LP64
#define ALIGN           16
#else
#define ALIGN           8
#endif

/* the proto-word; size must be ALIGN bytes */
typedef union _w_ {
        size_t          w_i;            /* an unsigned int */
        struct _t_      *w_p;           /* a pointer */
        char            w_a[ALIGN];     /* to force size */
} WORD;

main()
{
  printf ("sizeof WORD = 0x%x\n", WORDSIZE);
  printf ("ALIGN is %d\n", ALIGN);
}
bazz@blade72[pts/3][/tmp] gcc malloc.c && ./a.out
sizeof WORD = 0x8
ALIGN is 8
bazz@blade72[pts/3][/tmp] gcc -m64 malloc.c && ./a.out
sizeof WORD = 0x10
ALIGN is 16
bazz@blade72[pts/3][/tmp]

Demontrated difference between ALIGN on 32-bit vs. 64-bit exe.. ALIGN is used in malloc implementation.

Check to see if strncpy puts data after null byte into destination. It doesnt :(

bazz@blade72[pts/3][/tmp] cat strncpy.c
#include <string.h>

main()
{
  char buf[32] = "LALALA\x00\xde\xad\xbe\xef";
  char buf2[32];

  strncpy(buf2, buf, 30);

  int i;
  for (i=0; i<32; i++)
  {
    printf ("buf2[%d] = 0x%1x\n", i, buf2[i]);
 }
}
bazz@blade72[pts/3][/tmp] gcc strncpy.c && ./a.out
buf2[0] = 0x4c
buf2[1] = 0x41
buf2[2] = 0x4c
buf2[3] = 0x41
buf2[4] = 0x4c
buf2[5] = 0x41
buf2[6] = 0x0
buf2[7] = 0x0
buf2[8] = 0x0
buf2[9] = 0x0
buf2[10] = 0x0
buf2[11] = 0x0
buf2[12] = 0x0
buf2[13] = 0x0
buf2[14] = 0x0
buf2[15] = 0x0
buf2[16] = 0x0
buf2[17] = 0x0
buf2[18] = 0x0
buf2[19] = 0x0
buf2[20] = 0x0
buf2[21] = 0x0
buf2[22] = 0x0
buf2[23] = 0x0
buf2[24] = 0x0
buf2[25] = 0x0
buf2[26] = 0x0
buf2[27] = 0x0
buf2[28] = 0x0
buf2[29] = 0x0
buf2[30] = 0x0
buf2[31] = 0x0
bazz@blade72[pts/3][/tmp]

Leave a Reply

Your email address will not be published. Required fields are marked *

*